Last month, the OpenDNS security team took part in the Virus Bulletin 2014 Conference. During the conference, I first presented “Sweeping the IP space: the hunt for evil on the Internet” on Sep 24th, and then co-presented “Design to discover: security analytics with 3D visualization engine” on Sep 26th with Thibault Reuille.
We enjoyed several very good technical talks at the conference as well as numerous discussions with speakers and attendees. Such events can be a good opportunity to forge partnerships for the exchange of data and shared intelligence. Kudos to Virus Bulletin and our friend Martijn and his crew for the neat organization.
A good number of talks are available on Virus Bulletin’s website and several of them caught our interest, of which we mention a few below:
In “Hiding the network behind the network. Botnet proxy business model”, Cristina Vatamanu, with colleagues Alexandru Maximciuc and Razvan Benchea, presented very insightful work dissecting a proxy network that is rented to botnet owners for C&C communication. A key element of this network model is that it has at least two levels of proxies protecting the real C&C servers: proxy level 1 is responsible for redirecting DNS traffic (UDP port 53) to a backend central DNS server and HTTP traffic (port 80) to proxy level 2. This proxy network has notably been used by Citadel and Cryptolocker. We have covered a different fast flux proxy network from a DNS and IP perspective in  but the talk by Cristina and co. comes as an excellent complementary behind-the-scenes look at one such network.
In “Can we trust a trustee? An in-depth look into the digitally signed malware industry”, Adrian Stefan Popescu and Gheorghe Jescu presented an analysis of different methods for digitally signing malware files with a certificate, using either a stolen certificate originally issued to a trusted IT company, or a certificate issued to a developer who uses it with malicious intent. They also described cases of the same abused certificate being used by not only one but several malware families.
I also enjoyed “P0wned by a barcode: stealing money from offline users” where Fabio Assolini described Boleto, a very popular and easy payment method in Brazil. Since early 2013 Boleto has been the target of malware writers who developed trojans programmed to change boletos locally when they are generated by the computer or browser. With this forgery, the user unknowingly ends up submitting the payments to the cybercriminals’ accounts.
Finally, “OPSEC for security researchers” by Vicente Diaz and Dani Creus was also quite an interesting talk as it described fundamentals, tips and tricks of Operational Security for researchers. I’d like to share this quote from the talk: “[t]he golden rule in Operational Security is silence as a defensive discipline. If you don’t really need to say something, then don’t. If you do need to talk to someone, do it in a secure way where you don’t compromise the content of your message and, if possible, don’t generate metadata on the communication”. There were more good talks we liked at Virus Bulletin but unfortunately we cannot cover all of them.
Before coming back to the city, I also took the opportunity to visit Seattle and enjoy a hike to Mount Rainier with a couple of local friends – which was fabulous, as you can see here.
Shortly after the conference Thibault and I were invited by our friend Morton Swimmer from TrendMicro to give a talk at the company’s Forward-looking Threat Research (FTR) team’s meeting down in Cupertino, CA. We presented the talk “Visualization of IP and DNS data” on Oct 15th in which we shared some relevant use cases of combining DNS and IP space investigation with visualization to detect Internet threats.
The event also featured other guest speakers from Twitter and Facebook and we spent the rest of the day having valuable discussions with several “Trenders”. Thank you TrendMicro for your hospitality!